Schneier on Security
JANUARY 31, 2019
A year ago , the Norwegian Consumer Council published an excellent security analysis of children's GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children. A recent analysis checked if anything had improved after that torrent of bad press. Short answer: no. Guess what: a train wreck.
Adam Levin
JANUARY 28, 2019
Sidewalk Labs, a subsidiary of Google’s parent company Alphabet, is the go-to story for Data Privacy Day with its new “user-friendly” tool called Replica, which allows city planners see “how, when, and where people travel in urban areas.”. The Intercept’s explainer details a troubling use of consumer data. “Thanks for all you do,” could be Replica initiative’s tagline, since it seems to aggregate a huge amount of presumably phone-generated data to model the way cities work.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Troy Hunt
FEBRUARY 1, 2019
I'm pumping this weekly update out a little bit later, pushing it just before I get on the plane back home to Australia. I've just wrapped up a week in London with Scott doing all things NDC including a couple of days of workshops and a couple of talks each. We discuss that, and how the UK seems to have an odd infatuation with doing anything that could even remotely be deemed a health and safety risk.
Krebs on Security
FEBRUARY 1, 2019
More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol , the European Union’s law enforcement agency. In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators.
Advertisement
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Schneier on Security
JANUARY 28, 2019
The Japanese government is going to run penetration tests against all the IoT devices in their country, in an effort to (1) figure out what's insecure, and (2) help consumers secure them: The survey is scheduled to kick off next month, when authorities plan to test the password security of over 200 million IoT devices, beginning with routers and web cameras.
The Last Watchdog
JANUARY 28, 2019
Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear? Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized
Cyber Security Informer brings together the best content for cyber security professionals from the widest variety of industry thought leaders.
Adam Shostack
FEBRUARY 1, 2019
It’s well known that adoption rates for multi-factor authentication are poor. For example, “ Over 90 percent of Gmail users still don’t use two-factor authentication.” Someone was mentioning to me that there are bonuses in games. You get access to special rooms in Star Wars Old Republic. There’s a special emote in Fortnite. (Above).
Schneier on Security
JANUARY 29, 2019
This is kind of a crazy iPhone vulnerability : it's possible to call someone on FaceTime and listen on their microphone -- and see from their camera -- before they accept the call. This is definitely an embarrassment , and Apple was right to disable Group FaceTime until it's fixed. But it's hard to imagine how an adversary can operationalize this in any useful way.
The Last Watchdog
FEBRUARY 1, 2019
Some chilling hard evidence has surfaced illustrating where stolen personal information ultimately ends up, once it has flowed through the nether reaches of the cyber underground. Wired magazine reported this week on findings by independent security researchers who have been tracking the wide open availability of a massive cache of some 2.2 billion stolen usernames, passwords and other personal data.
Dark Reading
JANUARY 31, 2019
The last thing any business needs is a swarm of myths and misunderstandings seeding common and frequent errors organizations of all sizes make in safeguarding data and infrastructure.
Advertiser: Revenera
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
Adam Shostack
JANUARY 31, 2019
This is a really interesting post* about how many simple solutions to border security fail in the real world. Not everywhere has the infrastructure necessary to upload large datasets to the cloud Most cloud providers are in not-great jurisdictions for some threat models. Lying to border authorities, even by omission, ends badly. Fact is, the majority of “but why don’t you just…” solutions in this space either require lying, reliance on infrastructure that may be non-exist
Schneier on Security
JANUARY 30, 2019
The security is terrible : In a very short limited amount of time, three vulnerabilities have been discovered: Wifi credentials of the user have been recovered (stored in plaintext into the flash memory). No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption). Root certificate and RSA private key have been extracted.
The Last Watchdog
JANUARY 30, 2019
Late last year, Atrium Health disclosed it lost sensitive data for some 2.65 million patients when hackers gained unauthorized access to databases operated by a third-party billing vendor. Turn the corner into 2019 and we find Citigroup, CapitalOne, Wells Fargo and HSBC Life Insurance among a host of firms hitting the crisis button after their customers’ records turned up on a database of some 24 million financial and banking documents found parked on an Internet-accessible server — witho
Security Affairs
JANUARY 26, 2019
Experts discovered PDF exploit that was using steganography to hide malicious JavaScript code in images embedded in PDF files. The exploit analysis firm EdgeSpot recently discovered PDF exploit that was using steganography to hide malicious JavaScript code in images embedded in PDF files. “Shortly after last week’s discovery of a PDF exploit which used the method of this.getPageNumWords() & this.getPageNthWord() for obfuscation, we found another, but much more powerful exploit ob
Advertisement
The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.
Thales Cloud Protection & Licensing
JANUARY 29, 2019
Around this time each year, Thales eSecurity releases our annual Data Threat Report (DTR). Now in its sixth year, the report is squarely focused on digital transformation and what that means for organizations and their data security. Today, it’s almost impossible to do business of any kind without some sensitive data being exchanged, managed or stored in the cloud or on servers with an outgoing connection to the web.
Elie
JANUARY 27, 2019
A critical part of child sexual abuse criminal world is the creation and distribution of child sexual abuse imagery (CSAI) on the Internet. To combat this crime efficiently and illuminate current defense short-coming, it is vital to understand how CSAI content is disseminated on the Internet. Despite the importance of the topic very little work was done on the subject so far.
The Last Watchdog
JANUARY 31, 2019
A report co-sponsored by Lloyd’s of London paints a chilling scenario for how a worldwide cyberattack could trigger economic losses of some $200 billion for companies and government agencies ill-equipped to deflect a very plausible ransomware attack designed to sweep across the globe. Related: U.S. cyber foes exploit government shutdown. The Cyber Risk Management (CyRiM) project lays out in detail how a theoretical ransomware attack – dubbed the “Bashe” campaign – could improve upon the real lif
Security Affairs
JANUARY 31, 2019
Security researchers at the security firm Capsule8 have published exploit code for the vulnerabilities in Linux systemD disclosed in January. Security researchers at the security firm Capsule8 have published exploit code for the vulnerabilities in Linux systemD disclosed in January. Early this month, security firm Qualys disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 ) in a component of systemd , a software suite that provides fundamental building blocks for a Linux op
Speaker: Blackberry, OSS Consultants, & Revenera
Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?
Dark Reading
JANUARY 28, 2019
For Data Privacy Day, let's commit to a culture of privacy by design, nurtured by a knowledgeable team that can execute an effective operational compliance program.
WIRED Threat Level
JANUARY 30, 2019
The so-called Collections #1-5 represent a gargantuan, patched-together Frankenstein of rotting personal data.
Threatpost
JANUARY 28, 2019
The development team of the vulnerable Total Donations plugin appears to have abandoned it, and did not respond to inquiries from researchers.
Security Affairs
JANUARY 31, 2019
Cyber security expert Marco Ramilli, founder of Yoroi ,discovered a way to spread CSV malware via Google Sheets … but Big G says it is an Intended behavior. A. CSV file could be a malware carrier and if interpreted by Microsoft Excel it could become a malware executor ! When I personally saw this technique back in 2017 (please take a look to here , here and here ) I was fascinated.
Advertisement
Within the past few years, ransomware attacks have turned to critical infrastructure, healthcare, and government entities. Attackers have taken advantage of the rapid shift to remote work and new technologies. Add to that hacktivism due to global conflicts and U.S. elections, and an increased focus on AI, and you have the perfect recipe for a knotty and turbulent 2024.
Dark Reading
FEBRUARY 1, 2019
A Chicago-area family's smart home controls were compromised in a hack that has left them feeling vulnerable in their own home.
WIRED Threat Level
JANUARY 30, 2019
Can a trio of privacy advocates effect change from within Facebook—or will they be stifled by corporate bureaucracy?
Threatpost
JANUARY 29, 2019
The bug allows iPhone users to FaceTime other iOS users and eavesdrop on their conversations - even when the other end of the line doesn't pick up.
Security Affairs
JANUARY 28, 2019
Cisco released security updates to address security flaws in several products including Small Business RV320/RV325 routers and hackers are already targeting them. The tech giant addressed two serious issues in Cisco’s Small Business RV320 and RV325 routers. The first one could be exploited by a remote and unauthenticated attacker with admin privileges. to obtain sensitive information ( CVE-2019-1653 ), while the second one can be exploited for command injection ( CVE-2019-1652 ).
Speaker: Erika R. Bales, Esq.
When we talk about “compliance and security," most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.
Dark Reading
JANUARY 30, 2019
Build them carefully and maintain them rigorously, and ACLs will remain a productive piece of your security infrastructure for generations of hardware to come.before adding them to the toolbox.
WIRED Threat Level
JANUARY 28, 2019
Former FTC chief technologist Ashkan Soltani argues it's time for Silicon Valley companies to formalize and test not just their products' security, but its "abusability.".
Threatpost
JANUARY 31, 2019
A cyberattack lifts employee data at the French aerospace giant as news hits of "Collections 2-5" being passed around the underground.
Security Affairs
JANUARY 28, 2019
Security experts at Wordfence security firms discovered WordPress Sites compromised via Zero-Day vulnerabilities in Total Donations Plugin. The Total Donations WordPress plugin was abandoned by its developers for this reason security experts are recommending to delete it after they discovered multiple zero-day flaws that were exploited by threat actors.
Speaker: William Hord, Vice President of ERM Services
A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.
Expert insights. Personalized for you.
224 
Let's personalize your content